W3C home > Mailing lists > Public > public-html@w3.org > November 2011

Re: document.write() and .close() allowed on IFRAME though its document.domain was set

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 21 Nov 2011 17:33:51 -0500
Message-ID: <4ECAD1CF.7030401@mit.edu>
To: public-html@w3.org
On 11/21/11 4:09 PM, Hallvord R. M. Steen wrote:
> I know Opera has had (and still has) some security checks in DOM that
> other browsers do not have - but here we're looking up 'contentDocument'
> on 'iframe', and that certainly must be subject to security checks in
> all UAs, right?

In at least the case of Gecko, about:blank iframes have the same origin 
_object_ as the page that loaded them.

That is, when document.domain is set on that iframe, it changes the 
document.domain of the page that loaded it as well (or more precisely, 
changes the single object that both documents have pointers to and which 
represents the origin of the outer page).

Arguably the Gecko behavior here is sort of buggy....

> This currently causes a problem on eBay. Do we need to fix HTML5 to
> align with Chrome/Firefox?

It would be good to understand why it works in WebKit; I didn't think 
they did the same "share the origin object" thing Gecko does here.

-Boris
Received on Monday, 21 November 2011 22:34:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:41 GMT